Solved

Linux iptables firewall -  UDP questions

Posted on 2006-06-12
9
305 Views
Last Modified: 2013-11-16
I'm securing my Linux machine and have properly restricted TCP and ICMP. Only incoming requests from specific machines are accepted; the machine looks like it doesn't exist to everyone else. I have a question regarding UDP though. Can UDP give you away? I currently have it set up to ACCEPT all incoming and outgoing UDP packets b/c I don't understand them well enough to restrict them. I know they're used for DNS, time, etc., but if I'm not running a DNS or time server, what could a remote machine learn about me by sending me UDP packets?

From what I've read, it appears that UDP requests are just dropped unless they're sent to a running service that's set up to respond. If this is true, no services = no responses, making UDP filtering unnecessary. Is that right, or am I missing something?
0
Comment
Question by:philjones85
9 Comments
 
LVL 11

Expert Comment

by:rafael_acc
ID: 16893365
As long as the service implementing that UDP port number is not working, it is the same as the port being closed.
However, using iptables you could set it up to accept only UDP from machines you trust ...

Cheers
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 16929796
As well, UDP can be a dead giveaway for a lot of "firewall" products. A lot of the personal firewalls simply accept UDP packets and do not respond properly, therefore showing to a scanner as all UDP ports open. Dead giveaway about a machine.

However I would simply just throw in a rule such as rafael mentioned

i.e. assuming the trusted LAN is 192.168.0.x

iptables -A blah -p udp -s 192.168.0.0/24 -j ACCEPT   # UDP from the trusted LAN only
iptables -A blah -p udp -j DROP                        # everything else is silently dropped
0
 
LVL 6

Author Comment

by:philjones85
ID: 16929827
I'm not running a pre-made "personal firewall" software app, I'm coding this by hand in vi using iptables; it's a very basic 60-70 line firewall.

"A lot of the personal firewalls simply accept UDP packets and do not respond properly therefore showing to a scanner as all UDP ports open"
What do you mean "do not respond properly"? I didn't think UDP packets were responded to at all? How would a non-response indicate anything? This is what I'm confused about.


0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 16930428
When there is an app listening on a specific UDP port, according to how that port is protected by your firewall, that app might respond or not to the "client" (attacker's, scanner's) request. As long as there is no app making use of specific UDP ports, you don't really have much to worry about.

A very good site to check how open you are to attackers is www.grc.com (shield up) section.

Cheers
0
 
LVL 6

Author Comment

by:philjones85
ID: 16930906
I don't see how to check UDP through grc.com.

"When there is an app listening on a specific UDP port, according to how that port is protected by your firewall, that app might respond or not to the "client" (attacker's, scanner's) request."
So the OS (Linux) doesn't respond to random UDP requests like it does to TCP requests? They're just dropped?
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 16931073
Ok ... let's clarify this ...

What do you actually mean by random responses? Can you give a specific example?

As far as I understand you are concerned about security when it comes to port scanning. Both Linux and Windows, or any other OS (that works with the TCP/IP stack), react based on the same principle, which is the one I explained above and will explain again:

When your computer is configured as a server, it will listen on a specific port. It is just the way the TCP/IP stack works. Now, say a port scanning utility/application scans *randomly* or a list of specific ports; your server will not respond to that scanner unless there is an application "listening" on that port. Furthermore, once the scanner application gets a response on a port, that port will be declared "open" and therefore a potential attack destination.

Example: Say you have a server with App1 listening on port 10 and App2 listening on port 50. Let's suppose I'm an attacker ... So I will launch a port scan on your IP address and decide to scan ports 0 to 6500. Since your server is listening on ports 10 and 50, my scanner will detect that (because what the scanner does is an attempt to connect to that port, and your server would accept the request since it doesn't know this is a port scanner request - it will assume it is a legitimate request) and assume the port is open, and therefore I could try and connect to it ....

Now, the attack wouldn't be that simple though!!!! It would depend on the application used on the server. For example, to attack a dns server, different means are used when comparing to attacking a web server.


Let me know if something is left unclear!

0
 
LVL 11

Accepted Solution

by:
rafael_acc earned 250 total points
ID: 16931092
In my attempt to give you a more thorough understanding, I found the link below, which I recommend you check.
http://www.auditmypc.com/freescan/readingroom/port_scanning.asp

It explains port scanning (for both tcp and udp), and some additional useful information.

cheers
0
 
LVL 6

Author Comment

by:philjones85
ID: 16931236
First, I never said "random responses", I said "random requests". What I mean by that is, a hacker would send "some carefully construed UDP datagram" to "some port that he/she specifies". For conciseness I referred to that as a "random request".

That article explains it perfectly:

Port scanning usually means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker. UDP responds in a different manner. In order to find UDP ports, the attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, then most operating systems send back an "ICMP Port Unreachable" message. Thus, you can find out if a port is NOT open, and by exclusion determine which ports are open. Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives). Also, this scanning technique is slow because of compensation for machines that implement the suggestions of RFC 1812 and limit ICMP error message rate. For example, a kernel may limit destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded.

The most important part: "If the port is closed, then most operating systems send back an ICMP Port Unreachable message". This would be a dead giveaway if I wasn't blocking ICMP requests. Since I am, I have nothing to worry about.

Thank you sir, you answered my question perfectly.
0
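The behaviour described in that quoted passage, as an added example that is not part of the thread: a small Python model of a Linux host under the iptables policies discussed here (accept all UDP, accept UDP from the trusted LAN only, drop outbound ICMP) and of what an outside observer can conclude from empty UDP probes, including the false positives the ICMP rate limit produces when probes are not retransmitted. The listening ports, the trusted subnet and the 80-per-4-seconds figure are constructed assumptions for illustration.

```python
"""Added example, not from the thread: a model of what an empty UDP probe
reveals about a Linux host under the iptables policies discussed above.
Constructed assumptions: UDP services listen on 53 and 123, the trusted LAN is
192.168.0.0/24, and the kernel limits ICMP errors to 80 per 4 s (the RFC 1812
style figure quoted from the article)."""
import ipaddress

LISTENING_UDP = {53, 123}          # constructed sample services
ICMP_LIMIT, ICMP_WINDOW = 80, 4.0  # ICMP error rate limit, as quoted above
TRUSTED_LAN = ipaddress.ip_network("192.168.0.0/24")


class Host:
    def __init__(self, drop_untrusted_udp, drop_outbound_icmp):
        self.drop_untrusted_udp = drop_untrusted_udp  # like: -p udp ! -s LAN -j DROP
        self.drop_outbound_icmp = drop_outbound_icmp  # like: OUTPUT -p icmp -j DROP
        self.icmp_sent = []  # timestamps of ICMP errors generated (rate-limit state)

    def probe(self, src, port, now):
        """Reply to an empty UDP datagram; None means silence on the wire."""
        if self.drop_untrusted_udp and ipaddress.ip_address(src) not in TRUSTED_LAN:
            return None                 # INPUT DROP: never reaches the UDP stack
        if port in LISTENING_UDP:
            return None                 # a service ignores the empty datagram
        # Closed port: the kernel generates ICMP port unreachable, rate-limited
        self.icmp_sent = [t for t in self.icmp_sent if now - t < ICMP_WINDOW]
        if len(self.icmp_sent) >= ICMP_LIMIT:
            return None                 # suppressed: a closed port looks silent
        self.icmp_sent.append(now)
        return None if self.drop_outbound_icmp else "icmp-port-unreachable"


def classify(reply):
    """What an outside observer can conclude from one probe (nmap-style labels)."""
    return "closed" if reply == "icmp-port-unreachable" else "open|filtered"


def scan(host, src, ports, retries=0):
    """Probe every port at once, then re-probe silent ports once per ICMP window."""
    now = 0.0
    result = {p: classify(host.probe(src, p, now)) for p in ports}
    for _ in range(retries):
        now += ICMP_WINDOW              # wait for the rate limit to clear
        for p in [p for p, v in result.items() if v == "open|filtered"]:
            result[p] = classify(host.probe(src, p, now))
    return result


def open_filtered(result):
    """Ports the observer cannot tell apart: listening, or silently dropped."""
    return sorted(p for p, v in result.items() if v == "open|filtered")
```

Dropping outbound ICMP and dropping untrusted UDP both leave every port "open|filtered", so nothing can be learned by exclusion; only the retransmitting scan against the accept-all policy narrows the result down to the two listening ports.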
 
LVL 11

Expert Comment

by:rafael_acc
ID: 16931266
I am happy then and you are welcome.
0
